This extract comes from When to Think About Cybersecurity in Medical Devices and What You Must Do, the first booklet in our recent Regulatory Booklet Series. The series explores the core regulatory requirements medical device companies need to understand when developing new products.
One thing is clear: delaying cybersecurity decisions can delay market entry. A recent example involved a company developing a connected device to refrigerate bio samples. When the FD&C Act's definition of a "cyber device" (section 524B, which the FDA has enforced in premarket submissions since 2023) came to cover any device that includes software and can connect to the internet, the company spent two years arguing that cybersecurity controls shouldn't apply to it. The FDA didn't move. That resistance cost the company two full years of market access, all because it didn't want to invest in proper cybersecurity up front.
As John O’Gorman, Principal Technology Officer – Cybersecurity & Data Analytics at S3 Connected Health, puts it:
“If you don’t assess your current cybersecurity capabilities, you can’t build a compliant or secure medical device. Cybersecurity maturity must be thoroughly assessed before development begins.”
Ensuring strong cybersecurity across the entire lifecycle of a medical device — while keeping pace with evolving regulatory expectations and standards — is a significant challenge. From initial design through postmarket surveillance, the technical, regulatory, and operational demands continue to grow.
Before diving into the specifics, it's useful to take a step back and look at the core areas where cybersecurity gaps most often appear. The checklist below brings those elements together in one place, making it easier to assess where your organization stands and what may need attention. Each item pairs a question with the evidence an auditor or regulator would expect to see, so reviewing these fundamentals early lets teams identify weaknesses long before they become costly delays later in the development lifecycle.
Cybersecurity gaps checklist
1. Cybersecurity readiness assessment
Have you evaluated internal cybersecurity maturity and capability?
Evidence: Assessment report, gap analysis
2. QMS integration
Does your QMS (ISO 13485) include cybersecurity controls and change management?
Evidence: Updated SOPs, training records
3. Risk management linkage
Are cybersecurity risks integrated into ISO 14971 risk files?
Evidence: Updated risk management file
4. Threat modeling
Do you maintain threat models and update them after architecture changes?
Evidence: Threat model reports
5. Secure design and coding
Do you follow secure coding standards (MISRA C, OWASP, CERT)?
Evidence: Coding guidelines, static analysis reports
6. Security testing
Are you performing fuzz, vulnerability, and penetration testing aligned with UL 2900?
Evidence: Test plans, reports
7. SBOM management
Do you maintain an up-to-date SBOM for every released build and monitor vulnerability databases (for example the NVD) for the components it lists?
Evidence: SBOM file, vulnerability tracking logs
8. Regulatory submission alignment
Does your submission cross-reference FDA and EU MDR cybersecurity requirements?
Evidence: Submission package, mapping matrix
9. Postmarket monitoring
Do you monitor FDA advisories and update risk assessments accordingly?
Evidence: Monitoring logs, updated risk reports
10. Incident response
Is there an incident response and disclosure process aligned to FDA/HIPAA expectations?
Evidence: Incident response plan, training, communication templates
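Items 7 and 9 above (SBOM management and postmarket monitoring) are easier to judge with a concrete picture of what "monitoring CVE databases against an SBOM" actually involves. The script below is an added example written for this page; it is not code from the booklet or from S3 Connected Health. It parses a constructed CycloneDX-style SBOM, compares each component's version against a constructed advisory list with introduced/fixed version ranges, and produces a triage list sorted by severity. The component names and the EXAMPLE-xxxx advisory identifiers are placeholders invented for the example, not real packages or CVEs, and the plain dotted-version parser is a deliberate simplification of what a production tool would use.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical device firmware build.
# Component names and versions are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-tls",   "version": "1.4.2"},
    {"type": "library", "name": "json-parse", "version": "2.0.9"},
    {"type": "library", "name": "ble-stack",  "version": "3.1.0"}
  ]
}
"""

# Constructed, hypothetical advisory feed. The identifiers are placeholders,
# not real CVEs; a real pipeline would pull these from the NVD or a vendor feed.
# "fixed": None means no patched release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "acme-tls",
     "introduced": "1.0.0", "fixed": "1.4.3", "severity": "high"},
    {"id": "EXAMPLE-0002", "component": "json-parse",
     "introduced": "2.0.0", "fixed": "2.0.9", "severity": "medium"},
    {"id": "EXAMPLE-0003", "component": "ble-stack",
     "introduced": "3.0.0", "fixed": None, "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """Turn a dotted numeric version ("1.4.2", "v2.10") into a comparable tuple.

    Pre-release suffixes such as "-rc1" are dropped, which is a simplification;
    anything richer (build metadata, non-numeric parts) should use a proper
    version library rather than this helper.
    """
    core = text.lstrip("vV").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version, introduced, fixed):
    """True when `version` falls in the half-open range [introduced, fixed).

    A component exactly at the fixed version is NOT affected; a component with
    no fixed version is affected from `introduced` onward.
    """
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json):
    """Extract (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def match_advisories(sbom_json, advisories):
    """Cross-reference every SBOM component against the advisory feed.

    Returns one finding per (component, advisory) hit, most severe first, with
    the action a postmarket team would log: upgrade when a fix exists,
    otherwise mitigate and keep monitoring until one ships.
    """
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["component"] != name:
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": name,
                    "installed": version,
                    "fixed_in": adv["fixed"],
                    "severity": adv["severity"],
                    "action": "upgrade" if adv["fixed"] else "mitigate/monitor",
                })
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return findings


def report(findings):
    """Render findings as the kind of log line item 9's 'monitoring logs' asks for."""
    if not findings:
        return "No known advisories match the SBOM."
    lines = []
    for f in findings:
        fix = f["fixed_in"] or "none available"
        lines.append(f"[{f['severity'].upper()}] {f['advisory']}: {f['component']} "
                     f"{f['installed']} (fixed in {fix}) -> {f['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(match_advisories(SBOM_JSON, ADVISORIES)))
```

Run against the constructed inputs, the script flags acme-tls (an upgrade path exists) and ble-stack (no fix yet, so the finding has to flow into the ISO 14971 risk file as a mitigation rather than a patch), while json-parse at exactly the fixed version is correctly left out. The half-open range check in is_affected is the detail most often got wrong in home-grown scripts: treating the fixed version as still vulnerable creates noise, treating the version before it as safe misses real exposure.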
If you want to explore these topics in more depth, our Regulatory Booklet Series delves into the requirements that shape cybersecurity across the entire device lifecycle. You can find the full series on our landing page, including the first booklet, "When to Think About Cybersecurity in Medical Devices and What You Must Do," which offers additional resources to help you strengthen your approach.
